The Python Package Index (PyPI) repository, which serves over 700,000 users and 450,000 projects, was temporarily shut down over the weekend, leading to speculation about an unusual surge of malicious packages or a cyberattack. However, Ee Durbin, director of infrastructure for the Python Software Foundation, clarified that the shutdown was due to a lack of human capacity, with only one admin available to handle reports out of the usual three. The platform was back up and running by the evening of May 21 (UTC).
The temporary suspension of new user and project registrations on PyPI was attributed to an increase in malicious users and projects, which outpaced the administrators' ability to respond, especially with multiple PyPI administrators on leave. This led to concerns about the state of open-source security, with Peter Morgan, co-founder and CSO of Phylum, stating that the number of attacks has risen significantly over the past two years.
In Q1 2023, Phylum analyzed 2.8 million packages published on popular repositories like PyPI, npm, and NuGet, finding that 18,016 executed suspicious code upon installation, 6,099 referenced known malicious URLs, and 2,189 targeted specific organizations. Morgan pointed out that attackers are increasingly aware of how easy it is to pollute the open-source supply chain, with many not even attempting to hide their malicious packages.
Morgan emphasized the challenge faced by organizations using open-source software, as they have to defend against attackers who only need one successful attempt to infiltrate a system. This has led to calls for better package inspection, new tools to track dependencies, and software bills of materials (SBOMs). Ee Durbin advised that "regular caution should always be exercised when installing from a public index, whether in your projects or on the command line with 'pip install.'"
Durbin also mentioned that there are "exciting developments that will allow for much more sustainable and potentially automated handling of malware reports coming soon." The Python Software Foundation has added a security developer-in-residence role to improve Python security, and PyPI plans to hire a safety and security engineer to focus on the platform's security.
Durbin concluded by emphasizing the need to focus on finding and addressing malicious packages, as they are the primary means by which attackers are breaking into systems today. The future of supply chain security relies on maintaining clean public repositories and protecting against threats when they occur.